Director of Security & IT

Founded in 2019, Nayya is on a mission to connect people’s most important information, so they can thrive in their health and wealth. Powered by AI and advanced analytics, Nayya’s platform transforms complex benefits experiences into intuitive, seamless, and ongoing interactions—meeting people's real world needs. As a trusted platform and partner to leading employers, benefits solutions, and HR tech providers, Nayya unlocks long-term value through helping employees live more resilient lives. Backed by strategic investors like ICONIQ, Felicis Ventures, SemperVirens, Workday Ventures, MetLife Nextgen Ventures, and ADP Ventures, Nayya is ushering in the future of health and wealth for all. Role Summary: We are seeking a Director of Security & IT to lead Nayya's security strategy, compliance programs, and IT operations. This role will serve as the single point of accountability for protecting sensitive health and financial data, maintaining regulatory compliance, and ensuring the reliability and security of internal technology systems. Nayya is a benefits intelligence platform serving approximately 5 million employees. Our AI-powered platform delivers personalized guidance grounded in real plan data and claims history. The security and compliance requirements of this environment are significant: we handle Protected Health Information (PHI) at scale and operate under HIPAA, SOC 2, and other regulatory frameworks. This role reports to the Chief Product & AI Officer. The Director of Security & IT will partner closely with Engineering on infrastructure security while maintaining independent ownership of the security program, compliance posture, and IT operations. Key Responsibilities Security Program Leadership Lead the design, implementation, and continuous improvement of a comprehensive security program spanning application security, infrastructure security, data protection, and incident response. Implement and manage vulnerability assessments, penetration testing, and security audits to identify and mitigate risks across IT infrastructure and systems. Develop and maintain security policies, procedures, and controls aligned to SOC 2 Type II and HIPAA Security Rule requirements. Coordinate response to security incidents, including root cause analysis, containment, remediation, and legal reporting requirements. Own identity and access management (IAM) strategy, ensuring least-privilege access controls across production systems, cloud environments, and internal tools. Implement encryption, access control, audit logging, and other technical safeguards to meet HIPAA security requirements for data at rest, in transit, and during processing. Compliance & Risk Management Own SOC 2 Type II compliance initiatives, including audit preparation, controls documentation, evidence collection, and remediation of findings. Ensure compliance with HIPAA Privacy and Security Rules across Nayya's handling of PHI, including technical safeguards and organizational policies. Develop and maintain a risk management framework that identifies, evaluates, and prioritizes security and compliance risks, ensuring alignment with applicable regulations. Conduct regular risk assessments and vulnerability scans to proactively address potential compliance gaps. Prepare for and manage regulatory audits, customer security assessments, and external inspections related to data security and privacy. Stay current on emerging trends in healthcare data privacy regulations (HIPAA, HITECH, state-level requirements) and assess their impact on company policies and procedures. IT Operations & Help Desk Services Oversee day-to-day IT operations, ensuring all systems, networks, and applications function effectively and securely with minimal downtime. Lead the internal IT help desk function, ensuring timely resolution of technical issues with clear escalation protocols and service level agreements (SLAs). Monitor help desk performance metrics and implement improvements based on organizational needs. Manage IT asset lifecycle, including procurement, tracking, maintenance, and compliance with company policies. Ensure effective onboarding and offboarding processes for IT systems, with a focus on security awareness and HIPAA compliance training. Vendor & Third-Party Risk Management Evaluate and manage relationships with cloud providers, vendors, and third-party services to ensure they meet HIPAA and SOC 2 security and privacy requirements. Conduct due diligence and security assessments of third-party vendors, ensuring alignment with Nayya's data protection and compliance standards. Negotiate and manage contracts and SLAs to ensure third-party vendors meet security, compliance, and privacy expectations. Cross-Functional Collaboration Partner closely with the VP of Engineering on cloud security, infrastructure hardening, disaster recovery, and production access controls. Work with Legal, Finance, and People teams to ensure security and data privacy strategies align with business operations and legal obligations. Serve as the primary security and compliance liaison for enterprise customers, partners, and prospects during due diligence and procurement processes. Act as a strategic advisor to senior leadership on security investments, balancing risk mitigation against operational constraints and business priorities. Provide regular reports to the executive team on the status of security initiatives, compliance posture, and audit results. Lead, mentor, and develop a team of security, IT, and compliance professionals. Foster a culture of continuous improvement to stay ahead of cybersecurity threats and regulatory changes. Provide training to team members and the broader organization on security best practices, with emphasis on HIPAA compliance and PHI protection. Qualifications Required 10+ years of experience in security, IT infrastructure, and compliance, with at least 3 years owning a security function in a leadership capacity. Experience at a scaling software or AI company (50-1,000 employees) with exposure to the tradeoffs of building security programs with constrained resources. Proven depth in HIPAA compliance, healthcare data protection, and SOC 2 Type II audits. Strong understanding of cloud security architecture (AWS), network security, container security, and production access patterns. Experience building or significantly maturing security and compliance programs, not solely operating existing ones. Demonstrated ability to operate cross-functionally with Engineering, Legal, Finance, and People teams, turning ambiguity into structured execution. Strong program execution skills with a track record of driving multi-quarter initiatives across security, compliance, disaster recovery, access management, and vendor risk. Sound judgment in high-trust environments involving sensitive systems, company risk, customer data, and internal operations. Strong people leadership with experience managing technical teams, setting expectations, and creating accountability. Ability and willingness to go deep in a hands-on way where needed and delegate to the team where appropriate. Experience in healthcare, benefits, fintech, or another regulated environment where data sensitivity and compliance requirements are material. Preferred Relevant certifications: CISSP, CISM, CCSP, AWS Certified Solutions Architect, or similar. SOC 2 and HIPAA-specific credentials are highly desirable. Hands-on technical capability to engage in architecture discussions, evaluate operational tradeoffs, and assess technical risk directly when needed. A bias toward simplicity and prioritization across a broad surface area, focusing effort on what materially reduces risk and improves reliability. The salary range for New York based candidates for this role is $226,000- $275,000. We use a location factor to adjust this range for candidates that are located outside of geographic region of our New York office. Placement within the salary band is determined based on experience. Nayya is proud to be an Equal Employment Opportunity employer. We do not discriminate based upon race, religion, color, national origin, gender (including pregnancy, childbirth, or related medical conditions), sexual orientation, gender identity, gender expression, age, status as a protected veteran, status as an individual with a disability, or other applicable legally protected characteristics Location New York, NY, USA Work Mode On-site Seniority Director Function IT Salary USD 226k-275k / year Company Size 51-200 employees Skills Audit Report Preparation Encryption Identity And Access Management Incident Response Network Security Penetration Testing Regulatory Compliance Risk Management Security Strategies Team Leadership Vulnerability Assessments #J-18808-Ljbffr Social Leverage LLC